Last Updated: February 24, 2026
Effective Date: February 24, 2026

Legal Entity: CMG FRAMEWORKS SRL
Registered Address: Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3, București, Romania
Contact Phone: +40 772 125 155
Email: support@cmgworkflow.com
Data Protection Officer: dpo@cmgworkflow.com
Supervisory Authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between CMG FRAMEWORKS SRL ("Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") who has agreed to the Terms of Service, to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, in particular the EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679.
This DPA is entered into pursuant to Article 28 of the GDPR and shall be binding on both parties.
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the GDPR or the Agreement.
| Term | Definition |
|------|------------|
| Controller | The Customer who determines the purposes and means of the processing of personal data through the Service. The Customer subscribes to and uses the CRM platform as the entity deciding what data to collect and how it is used. |
| Processor | CMG FRAMEWORKS SRL, which processes personal data on behalf of the Controller in the course of providing the Service. |
| Sub-Processor | Any third party engaged by the Processor to process personal data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. |
| Processing | Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR. |
| Data Subject | An identified or identifiable natural person whose personal data is processed under this DPA. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR. |
| Data Protection Laws | The GDPR, Romanian Data Protection Law 190/2018, the ePrivacy Directive (2002/58/EC), and any other applicable data protection legislation. |
| Standard Contractual Clauses (SCCs) | The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Decision (EU) 2021/914. |
| Technical and Organizational Measures (TOMs) | The security measures described in Annex 2 of this DPA, implemented to ensure a level of security appropriate to the risk of processing. |
The Customer acts as the Data Controller. The Controller determines the purposes and means of processing personal data through the Service, including:
CMG FRAMEWORKS SRL acts as the Data Processor. The Processor processes personal data solely on behalf of and in accordance with the documented instructions of the Controller, as set out in this DPA and the Agreement.
This DPA does not create a joint controller relationship. Each party retains its independent role and obligations under Data Protection Laws.
The processing concerns the provision of the CRM SaaS platform as described in the Agreement, including lead management, client management, WhatsApp messaging, AI-powered analysis, email integration, and related features.
Processing shall commence on the date the Controller first accesses or uses the Service and shall continue for the duration of the Agreement. Upon termination, processing shall cease subject to the data return and deletion provisions in Section 14 of this DPA.
The Processor processes personal data for the following purposes, strictly as instructed by the Controller:
| Purpose | Description |
|---------|-------------|
| CRM Operations | Storage, organization, retrieval, and management of lead and client records, including contact details, interaction history, and pipeline status |
| WhatsApp Messaging | Sending and receiving messages via WhatsApp Business Cloud API on behalf of the Controller, including template messages, session messages, and media |
| AI Analysis | Processing conversation content and lead data through Google Gemini Enterprise API for intent analysis, lead extraction, response suggestions, and conversation summarization |
| Lead Management | Automated and manual processing of lead data through pipeline stages, assignment, qualification, and conversion workflows |
| Email Integration | Processing inbound and outbound email communications, including Gmail import and rule-based lead creation |
| Analytics and Reporting | Aggregation and analysis of CRM data to generate reports, dashboards, and performance metrics for the Controller |
| User Authentication | Processing user account data for authentication, authorization, and session management |
| Billing and Subscription | Processing subscription and payment-related data through Stripe for billing purposes |
The following categories of personal data may be processed through the Service:
Personal data processed under this DPA may relate to the following categories of data subjects:
| Category | Description |
|----------|-------------|
| Leads | Prospective customers whose contact information and communication history are managed through the Service |
| Clients | Existing customers of the Controller whose business relationship data is stored in the Service |
| End Users | Individuals who communicate with the Controller via WhatsApp or email through the Service |
| Employees / Team Members | The Controller's employees, agents, and team members who have accounts on the Service |
The Controller shall:
In accordance with Article 28(3) of the GDPR, the Processor shall:
The Controller hereby grants general written authorization for the Processor to engage the following sub-processors:
| Sub-Processor | Location | Purpose | Data Processed |
|---------------|----------|---------|----------------|
| Supabase Inc. | United States | Database hosting, authentication, and real-time data services | All CRM data, user accounts, authentication tokens |
| Meta Platforms / WhatsApp | United States / EU | WhatsApp Business Cloud API messaging services | WhatsApp messages, phone numbers, conversation metadata |
| Google (Gemini Enterprise API) | United States | AI-powered conversation analysis, lead extraction, and response generation | Conversation content, lead data submitted for AI processing |
| Stripe Inc. | United States | Payment processing, subscription management, and billing | Payment information, subscription data, billing history |
| Sentry (Functional Software Inc.) | United States | Application error monitoring and performance tracking | Error logs, stack traces (may include anonymized user context) |
| Vercel Inc. | United States | Application hosting, deployment, and content delivery | Application code, server-side rendered content, access logs |
Exclusive Remedy: The Controller's sole and exclusive remedy for sub-processor failures shall be a claim against the Processor (not directly against the sub-processor). The Processor shall pursue remedies against the sub-processor on the Controller's behalf where appropriate. The Processor's aggregate liability for sub-processor failures is subject to the liability limitations in the Agreement (Terms of Service), except for liability arising from the Processor's failure to conduct adequate due diligence on the sub-processor or failure to impose contractually equivalent data protection obligations.
The breach notification shall include, at minimum:
The Processor shall assist the Controller in responding to data subject requests exercising their rights under GDPR Chapter III, including:
The Service provides the following features to assist Controllers in fulfilling data subject rights:
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR.
The Processor may satisfy audit requests by providing:
Where personal data is transferred from the European Economic Area (EEA) to countries that have not received an adequacy decision from the European Commission, the Processor shall ensure that appropriate safeguards are in place, including:
Where a TIA indicates that SCCs alone do not provide sufficient protection, the Processor shall implement supplementary measures, which may include:
Several sub-processors are located in the United States. The Processor relies on the following mechanisms for US transfers:
Post-Schrems II Supplementary Measures: In accordance with the CJEU judgment in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, July 16, 2020) and EDPB Recommendations 01/2020, the Processor implements the following supplementary technical measures for transfers to the United States:
The Processor acknowledges that these supplementary measures may not prevent lawful access requests by US governmental authorities under FISA Section 702 or Executive Order 12333. The EU-US Data Privacy Framework (DPF) adequacy decision of July 10, 2023 currently provides a legal basis for US transfers, but the Processor monitors developments and will notify the Controller within thirty (30) days if the DPF adequacy decision is invalidated or materially altered.
The Controller may export personal data from the Service at any time using the data export functionality provided (CSV, JSON formats).
Upon termination or expiration of the Agreement:
The Processor shall be liable for damages caused by processing that does not comply with the obligations of the GDPR specifically directed to processors, or where the Processor has acted outside of or contrary to the Controller's lawful instructions.
The Controller shall be liable for damages caused by processing that does not comply with the GDPR, including where the Controller has provided unlawful instructions to the Processor.
This DPA shall remain in effect for the duration of the Agreement between the parties. It shall automatically terminate upon termination or expiration of the Agreement, subject to the survival provisions below.
Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to cure such breach within 30 calendar days of receiving written notice specifying the breach.
The following provisions shall survive termination or expiration of this DPA:
This DPA may be amended only by a written instrument signed or electronically accepted by both parties, except that:
If changes to Data Protection Laws require modifications to this DPA, the Processor shall notify the Controller and propose appropriate amendments. The parties shall negotiate in good faith to agree on necessary changes within a reasonable timeframe.
This DPA shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of laws principles. Where the GDPR applies, it shall take precedence over conflicting provisions of Romanian national law.
Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of București, Romania, without prejudice to the rights of data subjects to lodge complaints with their local supervisory authority or courts under GDPR Articles 77-79.
The lead supervisory authority for the Processor is the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), Romania.
This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the parties regarding the processing of personal data and supersedes all prior agreements, representations, and understandings.
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be replaced with a valid provision that achieves the original intent to the greatest extent possible.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
This DPA does not confer any rights on any third party, except that data subjects may enforce their rights under the GDPR and the Standard Contractual Clauses as third-party beneficiaries where applicable.
| Element | Description |
|---------|-------------|
| Subject Matter | Provision of CRM SaaS platform services |
| Duration | For the term of the Agreement between Controller and Processor |
| Nature of Processing | Collection, storage, organization, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction |
| Purpose | CRM operations, WhatsApp messaging, AI analysis, lead/client management, email integration, analytics, authentication, and billing |
| Types of Personal Data | Contact information, communication content, behavioral data, financial data, technical data (see Section 5) |
| Categories of Data Subjects | Leads, clients, end users, employees/team members of the Controller (see Section 6) |
| Applicable Competent Supervisory Authority | ANSPDCP, Romania |
The Processor implements the following technical and organizational measures to protect personal data:
| Measure | Implementation |
|---------|---------------|
| Encryption at rest | AES-256 encryption for all stored personal data, including database records and file storage (provided by Supabase infrastructure) |
| Encryption in transit | TLS 1.3 for all data transmitted between the Service, users, and sub-processors |
| Key management | Encryption keys are managed by the infrastructure provider (Supabase/AWS) with regular key rotation |
| Backup encryption | All backup data is encrypted using the same standards as production data |
| Measure | Implementation |
|---------|---------------|
| Row-Level Security (RLS) | PostgreSQL Row-Level Security policies enforce data isolation at the database level, ensuring each organization can only access its own data |
| Role-Based Access Control (RBAC) | Four-tier permission model (Owner, Admin, Agent, Viewer) with granular resource-level permissions |
| Authentication | Secure authentication via Supabase Auth with support for email/password and social login providers |
| Session management | JWT-based session tokens with configurable expiration and secure cookie handling |
| Least privilege | Access to personal data is restricted to personnel who require it for their specific role |
| Measure | Implementation |
|---------|---------------|
| Database-level isolation | RLS policies on all tables containing personal data, keyed on organization_id |
| Application-level isolation | Middleware and server-side checks enforce tenant boundaries on every request |
| API isolation | All API endpoints validate organization membership before processing requests |
| No cross-tenant access | Architectural design prevents any organization from accessing another's data |
| Measure | Implementation |
|---------|---------------|
| Automated backups | Daily automated backups of all data with point-in-time recovery capability |
| Geographic redundancy | Backups stored in geographically separate locations from primary data |
| Recovery testing | Regular testing of backup restoration procedures |
| Retention | Backup retention in accordance with the data retention policy, with deletion upon Controller request or termination |
| Measure | Implementation |
|---------|---------------|
| Confidentiality agreements | All personnel with access to personal data are bound by confidentiality obligations |
| Background checks | Conducted in accordance with applicable law for personnel handling personal data |
| Training | Regular data protection and security awareness training for all relevant personnel |
| Access revocation | Immediate revocation of access upon termination of employment or change of role |
| Measure | Implementation |
|---------|---------------|
| Detection | Automated monitoring and alerting systems for security incidents (Sentry error monitoring, application-level logging) |
| Response plan | Documented incident response procedures with defined roles and escalation paths |
| Notification | Breach notification to Controllers within 48 hours of becoming aware of a Personal Data Breach |
| Post-incident review | Root cause analysis and remediation following all security incidents |
| Documentation | All incidents documented with timeline, impact assessment, and remediation actions |
| Measure | Implementation |
|---------|---------------|
| Secure development | Security-focused development practices including code review and automated security scanning |
| Input validation | Server-side validation of all user inputs using Zod schemas to prevent injection attacks |
| Dependency management | Regular monitoring and updating of third-party dependencies for known vulnerabilities |
| Error handling | Structured error handling that prevents exposure of sensitive information in error messages |
| Rate limiting | API rate limiting to prevent abuse and protect against denial-of-service attempts |
| Measure | Implementation |
|---------|---------------|
| HTTPS only | All connections to the Service require HTTPS; HTTP requests are redirected |
| CORS policy | Strict Cross-Origin Resource Sharing policy limiting API access to authorized origins |
| Webhook security | HMAC signature verification for all inbound webhooks (WhatsApp, Stripe, Gmail) |
| DDoS protection | Distributed denial-of-service protection provided by the hosting infrastructure (Vercel) |
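The "Webhook security" row above names the control but not what a correct check looks like. The following is an added illustration written for this page, not CMG FRAMEWORKS SRL's own code: it verifies an inbound webhook the way the two providers the row names document it, a Meta/WhatsApp-style `X-Hub-Signature-256` header (HMAC-SHA256 of the raw body, prefixed `sha256=`) and a Stripe-style `Stripe-Signature` header (`t=<unix>,v1=<hex>` over `<t>.<rawBody>`, with a replay window). It uses only Node's built-in `node:crypto`; the secrets, the payload and the timestamps are constructed placeholders, and the Gmail callback format is not shown.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constant-time comparison of two hex digests. Length mismatch (including
// malformed or empty hex) returns false without leaking timing information.
function safeEqualHex(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  if (ba.length === 0 || ba.length !== bb.length) return false;
  return timingSafeEqual(ba, bb);
}

// Meta / WhatsApp Cloud API style: "X-Hub-Signature-256: sha256=<hex>".
// The MAC is computed over the raw request bytes, so the caller must pass
// the body before any JSON parsing or re-serialization.
function verifyMetaSignature(
  rawBody: Buffer,
  header: string | undefined,
  appSecret: string, // assumption: placeholder name for the Meta app secret
): boolean {
  if (!header || !header.startsWith("sha256=")) return false;
  const expected = createHmac("sha256", appSecret).update(rawBody).digest("hex");
  return safeEqualHex(header.slice("sha256=".length), expected);
}

// Stripe style: "Stripe-Signature: t=<unix>,v1=<hex>[,v1=<hex>...]".
// Signed payload is "<t>.<rawBody>"; the timestamp is bound into the MAC,
// so an attacker cannot replay an old body under a fresh timestamp, and
// the tolerance window rejects straightforward replays of the whole request.
function verifyStripeSignature(
  rawBody: Buffer,
  header: string | undefined,
  endpointSecret: string, // assumption: placeholder name for the endpoint secret
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  if (!header) return false;
  const parts = header.split(",").map((p) => p.split("="));
  const t = parts.find(([k]) => k === "t")?.[1];
  const sigs = parts
    .filter(([k, v]) => k === "v1" && typeof v === "string")
    .map(([, v]) => v as string);
  if (!t || !/^\d+$/.test(t) || sigs.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > toleranceSeconds) return false;
  const expected = createHmac("sha256", endpointSecret)
    .update(`${t}.`)
    .update(rawBody)
    .digest("hex");
  // Stripe may send several v1 entries during secret rotation; any match is enough.
  return sigs.some((s) => safeEqualHex(s, expected));
}

// Constructed self-check: sign a sample body with the constructed secrets,
// then confirm the verifier accepts it and rejects tampered variants.
function demo(): { metaOk: boolean; metaTampered: boolean; stripeOk: boolean; stripeStale: boolean } {
  const body = Buffer.from(JSON.stringify({ object: "whatsapp_business_account", entry: [] }));
  const appSecret = "meta-app-secret-example";   // constructed
  const endpointSecret = "whsec_example";         // constructed
  const t = 1700000000;                           // constructed unix timestamp

  const metaHeader = "sha256=" + createHmac("sha256", appSecret).update(body).digest("hex");
  const tampered = Buffer.concat([body, Buffer.from(" ")]);

  const v1 = createHmac("sha256", endpointSecret).update(`${t}.`).update(body).digest("hex");
  const stripeHeader = `t=${t},v1=${v1}`;

  return {
    metaOk: verifyMetaSignature(body, metaHeader, appSecret),
    metaTampered: verifyMetaSignature(tampered, metaHeader, appSecret),
    stripeOk: verifyStripeSignature(body, stripeHeader, endpointSecret, t + 10),
    stripeStale: verifyStripeSignature(body, stripeHeader, endpointSecret, t + 1000),
  };
}
```

Two points a reviewer checks first: the MAC must be computed over the exact bytes received (frameworks that parse JSON before the handler runs will break this), and the comparison must be constant-time; a plain `===` on the hex strings lets an attacker forge a signature byte by byte.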
The Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this DPA for international transfers of personal data to sub-processors in countries without an adequacy decision.
The full text of the SCCs is available from the European Commission at EUR-Lex and is deemed incorporated in its entirety.
For questions about this Data Processing Agreement, contact:
CMG FRAMEWORKS SRL
Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3
București, Romania
This Data Processing Agreement is effective as of February 24, 2026.